Chapter 3 Flashcards
Megan runs the following Nmap scan:
nmap -sU -sT -p 1-65535 example.com
What information will she not receive?
A. TCP services
B. The state of the service
C. UDP services
D. A list of vulnerable services
D. A list of vulnerable services
Tom wants to find metadata about an organization using a search engine. What tool from the following list should he use?
A. ExifTool
B. MetaSearch
C. FOCA
D. Nmap
C. FOCA (Fingerprinting Organizations with Collected Archives)
ExifTool is for individual files
After running an Nmap scan of a system, Zarmeena discovers that TCP ports 139, 443, and 3389 are open. What operating system is she most likely to discover running on the system?
A. Windows
B. Android
C. Linux
D. iOS
A. Windows
Charles runs an Nmap scan using the following command:
nmap -sT -sV -T2 -p 1-65535 example.com
After watching the scan run for over two hours, he realizes that he needs to optimize the scan. Which of the following is not a useful way to speed up his scan?
A. Only scan via UDP to improve speed.
B. Change the scan timing to 3 or faster.
C. Change to a SYN scan.
D. Use the default port list.
A. Only scan via UDP to improve speed.
Karen identifies TCP ports 8080 and 8443 open on a remote system during a port scan.
What tool is her best option to manually validate the services running on these ports?
A. SSH
B. SFTP
C. Telnet
D. A web browser
D. A web browser
(Admins sometimes shift services from common ports to different ones; she can use a browser to check what is running on them)
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration test and wants to examine it for useful metadata. What tool could she most successfully use to do this?
A. ExifTool
B. Grep
C. PsTools
D. Nginx
A. ExifTool
During an Nmap scan, Casey uses the -O flag. The scan identifies the host as follows:
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
What can she determine from this information?
D. That the system is running a Linux 2.6 kernel between .9 and .33
What is the full range of ports that a UDP service can run on?
A. 1–1024
B. 1–16,383
C. 1–32,767
D. 1–65,535
D. 1–65,535
(for both TCP and UDP)
Steve is working from an unprivileged user account that was obtained as part of a penetration test. He has discovered that the host he is on has Nmap installed, and he wants to scan other hosts in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag will Steve probably have to use to successfully scan hosts from this account?
A. -sV
B. -u
C. -oA
D. -sT
D. -sT
(Used when an unprivileged account is the tester’s only option)
Which of the following provides information about a domain’s registrar and physical location?
A. Nslookup
B. host
C. WHOIS
D. traceroute
C. WHOIS
Chris runs an Nmap scan of the 10.10.0.0/16 network that his employer uses as an internal network range for the entire organization. If he uses the -T0 flag, what issue is he likely to encounter?
A. The scan will terminate when the host count reaches 0.
B. The scan will not scan IP addresses in the .0 network.
C. The scan will progress at a very slow speed.
D. The scan will only scan for TCP services.
C. The scan will progress at a very slow speed.
Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
A. -oA
B. -oS
C. -oG
D. -oX
B. -oS
(this is a script kiddie output format, should never be used for a real pen test)
During an early phase of his penetration test, Mike recovers a binary executable file that he wants to quickly analyze for useful information. Which of the following will quickly give him a view of potentially useful information in the binary?
A. Netcat
B. strings
C. Hashmod
D. Eclipse
B. strings
(parses a file for strings of text and outputs them)
Jack is conducting a penetration test for a customer in Japan. What NIC will he most likely have to check for information about his client’s networks?
A. RIPE
B. ARIN
C. APNIC
D. LACNIC
C. APNIC
(covers the Asia-Pacific region: Asia, Australia, New Zealand) RESEARCH THE OTHERS AS WELL
Lin believes that the organization she is scanning may have load balancers in use. Which of the following techniques will help her detect them if they are DNS-based load balancers?
A. Use Nmap and look for service port differences.
B. Use ping and check for TTL and IP changes.
C. Use Nessus and check for service version differences.
D. Use WHOIS to check for multiple hostnames.
B. Use ping and check for TTL and IP changes.
Charles uses the following hping command to send traffic to a remote system:
hping remotesite.com -S -V -p 80
What type of traffic will the remote system see?
A. HTTP traffic to TCP port 80
B. TCP SYNs to TCP port 80
C. HTTPS traffic to TCP port 80
D. A TCP three-way handshake to TCP port 80
B. TCP SYNs to TCP port 80
(-S sends SYN packets; -V is verbose mode)
What does a result of * * * mean during a traceroute?
A. No route to the host exists.
B. All hosts are queried.
C. There is no response to the query, perhaps a timeout, but traffic is going through.
D. A firewall is blocking responses.
C. There is no response to the query, perhaps a timeout, but traffic is going through.
(Many hosts are configured to not respond to this type of traffic but will route traffic properly)
Rick wants to describe flaws found in an organization’s internally developed web applications using a standard model. Which of the following is best suited to his need?
A. CWE
(Common Weakness Enumeration, community developed list of hardware and software weaknesses)
Why would a penetration tester look for expired certificates as part of an information gathering and enumeration exercise?
A. They indicate improper encryption, allowing easy decryption of traffic.
B. They indicate services that may not be properly updated or managed.
C. Attackers install expired certificates to allow easy access to systems.
D. Penetration testers will not look for expired certificates; they only indicate procedural issues.
B. They indicate services that may not be properly updated or managed.
(Attackers love indicators of improper maintenance)
John has gained access to a system that he wants to use to gather more information about
other hosts in its local subnet. He wants to perform a port scan but cannot install other tools
to do so.
Which of the following tools isn’t usable as a port scanner?
A. Hping
B. Netcat
C. Telnet
D. ExifTool
D. ExifTool
Important ports
22
23
25
53
80
88
110
443
1433
22 TCP, UDP SSH
23 TCP, UDP Telnet
25 TCP, UDP SMTP (email)
53 UDP DNS
80 TCP, UDP HTTP
88 TCP, UDP Kerberos
110 TCP, UDP POP3
443 TCP, UDP HTTPS
1433 TCP Microsoft SQL Server
What is nmap scan -sS?
TCP SYN scan, fast scan that tends to work through most firewalls
What is nmap scan -sT?
TCP connect (“full connect”) scan: completes the three-way handshake; typically used when the nmap account doesn’t have the privileges needed to create raw packets
What is nmap scan -sU
UDP-only scan